IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Support multiple local domain ranges with RID base set

Browse Source 
In ip-adtrust-install, "adding RID bases" step would fail
if there was more than one local range defined. This can be a
common case if e.g. there are users that migrated from previous
IdM solution.

With this patch, we fail only if there are multiple local ranges
that do not have RID bases set.

Keep in mind that overlap checking is ensured by ipa-range-check
DS plugin.

https://fedorahosted.org/freeipa/ticket/3498
This commit is contained in:
Tomas Babej
2013-05-13 13:19:12 +02:00
committed by Martin Kosek
parent 0b5c0286ed
commit 7310395047
1 changed files with 34 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
ipaserver/install/adtrustinstance.py
View File

@@ -258,36 +258,54 @@ class ADTRUSTInstance(service.Service):
"""
try:
res = self.admin_conn.get_entries(
# Get the ranges
ranges = self.admin_conn.get_entries(
DN(api.env.container_ranges, self.suffix),
ldap.SCOPE_ONELEVEL, "(objectclass=ipaDomainIDRange)")
if len(res) != 1:
root_logger.critical("Found more than one ID range for the " \
"local domain.")
raise RuntimeError("Too many ID ranges\n")
if res[0].single_value('ipaBaseRID', None) or \
res[0].single_value('ipaSecondaryBaseRID', None):
# Filter out ranges where RID base is already set
no_rid_base_set = lambda r: not any((
r.single_value('ipaBaseRID', None),
r.single_value('ipaSecondaryBaseRID', None)))
ranges_with_no_rid_base = filter(no_rid_base_set, ranges)
# Return if no range is without RID base
if len(ranges_with_no_rid_base) == 0:
self.print_msg("RID bases already set, nothing to do")
return
size = res[0].single_value('ipaIDRangeSize', None)
# Abort if RID base needs to be added to more than one range
if len(ranges_with_no_rid_base) != 1:
root_logger.critical("Found more than one local domain ID "
"range with no RID base set.")
raise RuntimeError("Too many ID ranges\n")
# Abort if RID bases are too close
local_range = ranges_with_no_rid_base[0]
size = local_range.single_value('ipaIDRangeSize', None)
if abs(self.rid_base - self.secondary_rid_base) > size:
self.print_msg("Primary and secondary RID base are too close. " \
self.print_msg("Primary and secondary RID base are too close. "
"They have to differ at least by %d." % size)
raise RuntimeError("RID bases too close.\n")
# Modify the range
# If the RID bases would cause overlap with some other range,
# this will be detected by ipa-range-check DS plugin
try:
self.admin_conn.modify_s(res[0].dn,
[(ldap.MOD_ADD, "ipaBaseRID", \
str(self.rid_base)), \
(ldap.MOD_ADD, "ipaSecondaryBaseRID", \
self.admin_conn.modify_s(local_range.dn,
[(ldap.MOD_ADD, "ipaBaseRID",
str(self.rid_base)),
(ldap.MOD_ADD, "ipaSecondaryBaseRID",
str(self.secondary_rid_base))])
except:
self.print_msg("Failed to add RID bases to the local range object")
except ldap.CONSTRAINT_VIOLATION, e:
self.print_msg("Failed to add RID bases to the local range "
"object:\n %s" % e[0]['info'])
raise RuntimeError("Constraint violation.\n")
except errors.NotFound as e:
root_logger.critical("ID range of the local domain not found, " \
root_logger.critical("ID range of the local domain not found, "
"define it and run again.")
raise e